augrep – linux man page
augrep – print audit records matching a pattern
USAGE
augrep [OPTIONS] [-f FILENAME]
DESCRIPTION
augrep searches the audit log FILENAME for records matching the specified
options, prints them in a readable format, and lets the user choose which
fields appear in the output. By default, augrep prints all records.
GENERAL OPTIONS
-f FILENAME, --filename=FILENAME
Process audit records read from FILENAME.
Default is "/var/log/audit".
-?, --help
Print out help screen.
FORMAT OPTIONS
-h, --header
Print out a header at the top of output that identifies the
columns of the output.
-t TIMEFORMAT, --time=TIMEFORMAT
Change format of time that is output.
iso8601 print time in ISO 8601 format, i.e. as YYYY-MM-DDThh:mm:ss.
unix print time in standard ctime(3) format, i.e. DD MM YY hh:mm:ss.
raw print time as the number of seconds since Jan 1, 1970.
none do not print any time stamps.
The default format is iso8601.
-v, --verboseall
Print all fields of each message; by default only a subset is
printed.
default:
Time, Sequence Number, PID, Login ID, Data
all: Time, Sequence Number, PID, Login ID, EUID, SUID, RUID,
FSUID, EGID, RGID, SGID, FSGID, Session Number, Data
GREP OPTIONS
-a SESSION_ID, --auditid=SESSION_ID
Find audit record(s) with specified session id.
-l LOGIN_NAME, --loginid=LOGIN_NAME
Find audit record(s) with specified login id.
(NOTE: This option cannot be used if option "uid" has already
been specified.)
-n SEQUENCE_NUMBER, --sequencenum=SEQUENCE_NUMBER
Find audit record(s) with specified sequence number.
-p PID, --pid=PID
Find audit record(s) with specified pid.
-u UID, --uid=UID
Find audit record(s) with specified uid.
(NOTE: This option cannot be used if option "loginid" has
already been specified.)
--euid=EUID
Find audit record(s) with specified euid.
--egid=EGID
Find audit record(s) with specified egid.
--fsuid=FSUID
Find audit record(s) with specified fsuid.
--fsgid=FSGID
Find audit record(s) with specified fsgid.
--ruid=RUID
Find audit record(s) with specified ruid.
--rgid=RGID
Find audit record(s) with specified rgid.
--suid=SUID
Find audit record(s) with specified suid.
--sgid=SGID
Find audit record(s) with specified sgid.
-s STARTT, --starttime=STARTT
Find audit record(s) that started at or after a specified start
time.
(Note: Time must be in iso8601 Format "YYYY-MM-DDThh:mm:ss")
-x ENDT, --endtime=ENDT
(Note: Time must be in iso8601 Format "YYYY-MM-DDThh:mm:ss")
-e EVENT, --event=EVENT
Find audit record(s) with specified event type.
Options:
"LOGIN" Find login messages.
"NETLINK" Find netlink messages.
"SYSCALL" Find syscall messages.
"TEXT" Find messages that come from userspace
tools (ex. cron & at)
"EXIT" Find exit messages.
LOGIN options:
-A IP_ADDRESS, --address=IP_ADDRESS
Find LOGIN message(s) with specified ip address.
-E EXECUTE, --execute=EXECUTE
Find LOGIN message(s) with specified executable.
-H HOSTNAME, --hostname=HOSTNAME
Find LOGIN message(s) with specified hostname.
-T TERMINAL, --terminal=TERMINAL
Find LOGIN message(s) with specified terminal.
NETLINK options:
-G GROUP, --group=GROUP
Find NETLINK message(s) with specified group.
-I DSTGROUP, --dstgroup=DSTGROUP
Find NETLINK message(s) with specified dstgroup.
-L RESULT, --netresult=RESULT
Find NETLINK message(s) with specified result.
TEXT options:
-U AUDIT_TAG, --audtag=AUDIT_TAG
Find TEXT message(s) that contain AUDIT_TAG. (Note: DO NOT place
'[' or ']' around the tag.)
-X DATA, --textdata=DATA
Find TEXT message(s) that contain DATA.
SYSCALL options:
-S name, --syscall=name
Find system call messages matching the given name. This also
covers calls such as accept and listen, which are multiplexed
through socketcall on some architectures.
-M MAJOR_NUMBER, --major=MAJOR_NUMBER
Find SYSCALL message(s) with specified major number.
-N MINOR_NUMBER, --minor=MINOR_NUMBER
Find SYSCALL message(s) with specified minor number.
-R RESULT, --sysresult=RESULT
Find SYSCALL message(s) with specified result.
-D DATA, --sysdata=DATA
Find SYSCALL message(s) that contain specified DATA. (Note:
This option does not support syscall ioctls.)
EXIT options:
-C EXIT_CODE, --exitcode=EXIT_CODE
Find EXIT message(s) with specified exit code.
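The filtering semantics described by the GREP OPTIONS above, as an added example in Python that is not part of augrep or this man page. It models records in the default column layout (Time, Sequence Number, PID, Login ID, Data) with constructed sample lines, assumes that combined options are ANDed and that an end time is inclusive, and shows the bare-tag behaviour of -U.

```python
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M:%S"   # augrep's iso8601 time format

# Constructed sample records in augrep's default column layout
# (Time, Sequence Number, PID, Login ID, Data); not real audit output.
SAMPLE = """\
2003-05-01T08:00:01 101 1200 root LOGIN terminal=tty1
2003-05-01T08:05:30 102 1201 alice SYSCALL name=open result=0
2003-05-01T09:15:00 103 1201 alice EXIT code=0
2003-05-02T10:00:00 104 1300 bob TEXT [cron] job started
"""


def parse_records(text):
    """Split default-layout lines into dicts; the Data column keeps the rest."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time_s, seq, pid, login, data = line.split(None, 4)
        records.append({
            "time": datetime.strptime(time_s, ISO),
            "seq": int(seq), "pid": int(pid), "login": login,
            "event": data.split(None, 1)[0],   # LOGIN, SYSCALL, TEXT, EXIT
            "data": data,
        })
    return records


def grep(records, loginid=None, pid=None, sequencenum=None, event=None,
         audtag=None, starttime=None, endtime=None):
    """Return records satisfying every given filter (assumed AND semantics)."""
    start = datetime.strptime(starttime, ISO) if starttime else None
    end = datetime.strptime(endtime, ISO) if endtime else None
    out = []
    for r in records:
        if loginid is not None and r["login"] != loginid:
            continue
        if pid is not None and r["pid"] != pid:
            continue
        if sequencenum is not None and r["seq"] != sequencenum:
            continue
        if event is not None and r["event"] != event:
            continue
        # -U takes the bare tag; the brackets are added here, as the man page notes.
        if audtag is not None and f"[{audtag}]" not in r["data"]:
            continue
        if start is not None and r["time"] < start:   # at or after start time
            continue
        if end is not None and r["time"] > end:       # assumed: at or before end
            continue
        out.append(r)
    return out
```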
FILES
/var/log/audit - default location of audit log file
COPYRIGHTS
Copyright (C) 2003, International Business Machines Corp.
Copyright (C) 2003, Suse Linux AG
AUTHORS
Jerone Young
Olaf Kirch